Sam Morris wrote:
> On 22/07/2024 11:44, Jonathan Oxidnation via FreeIPA-users wrote:
> > Hello everybody,
> > I have a question about the objects created when we establish a trust
> > between FreeIPA servers and a Microsoft Active Directory.
> > Is there something that could refresh the objects to renew the sensitive
> > data?
> > In my situation I used an AD account (with admin privileges) to create the
> > trust. But after several months, the objects do not refresh themselves.
> > (The WhenChanged attribute on the AD side has an old date.)
> > This question comes from our security team asking to renew the object to
> > guarantee the security of the trust.
> > Regards,
>
> Would re-running 'ipa trust-add' do what you want?
> You should check the documentation, but I'm pretty sure it's safe to
> re-run it, and it will re-use the existing ID ranges. We did this when
> upgrading from a one-way to a two-way trust.
Hello Sam,

Thanks for your answer. We did some tests and re-ran "trust-add". That correctly updates the objects on both sides, as you mentioned.

I was hoping that this could be done autonomously somewhere, like Microsoft does when two ADs have a trust between them.

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
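The thread's conclusion is that nothing on the FreeIPA side rotates the trust objects for you, so the check the security team asked for has to be done by the operator: read the AD-side whenChanged of the trustedDomain object, decide whether it is older than your rotation policy, and re-run `ipa trust-add` when it is. The script below is an added example of that audit, not FreeIPA project code or code from either poster. It assumes the whenChanged values have been exported out of band (for instance with `Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -Properties whenChanged` on a domain controller, or an LDAP search) and are passed in as LDAP GeneralizedTime strings; the realm names and timestamps in SAMPLE_TRUSTS are constructed, and the 30-day default threshold is an assumption chosen to mirror the interval at which two AD domains rotate a trust password between themselves, not anything FreeIPA enforces. One caveat a practitioner should keep in mind: whenChanged is bumped by any write to the object, so a recent value proves only that something on the object changed, not that the secret was rotated.

```python
"""Audit FreeIPA <-> AD trust objects for stale secrets and build the refresh command.

Added example (not FreeIPA's or the posters' code). Assumes whenChanged values
were exported from AD as LDAP GeneralizedTime strings such as "20240122114400.0Z".
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Constructed sample input: (AD realm, whenChanged of its trustedDomain object in AD).
SAMPLE_TRUSTS = [
    ("ad.example.test", "20240122114400.0Z"),   # assumption: six months old
    ("lab.example.test", "20240710080000.0Z"),  # assumption: under two weeks old
]

# Assumption: rotate at least every 30 days, mirroring AD-to-AD trust password rotation.
DEFAULT_MAX_AGE_DAYS = 30


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime as AD returns it (YYYYMMDDHHMMSS[.fff]Z) into an aware UTC datetime."""
    if not value.endswith("Z"):
        # AD always returns whenChanged in UTC; refuse anything without the Z suffix
        # rather than guess a local offset and mis-age the trust.
        raise ValueError(f"expected a UTC GeneralizedTime ending in 'Z': {value!r}")
    core = value[:-1].split(".", 1)[0]  # drop optional fractional seconds
    if len(core) != 14 or not core.isdigit():
        raise ValueError(f"malformed GeneralizedTime: {value!r}")
    return datetime.strptime(core, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def trust_secret_age_days(when_changed: str, now: datetime) -> int:
    """Whole days since the trust object was last written in AD."""
    return (now - parse_generalized_time(when_changed)).days


def rotation_due(when_changed: str, now: datetime, max_age_days: int = DEFAULT_MAX_AGE_DAYS) -> bool:
    """True when the object is older than the policy threshold."""
    return trust_secret_age_days(when_changed, now) > max_age_days


def trusts_due_for_refresh(entries: Iterable[tuple[str, str]], now: datetime,
                           max_age_days: int = DEFAULT_MAX_AGE_DAYS) -> list[str]:
    """Return the realms whose trust object is older than max_age_days, oldest first."""
    due = [(trust_secret_age_days(wc, now), realm) for realm, wc in entries
           if rotation_due(wc, now, max_age_days)]
    return [realm for _, realm in sorted(due, reverse=True)]


def refresh_command(ad_realm: str, admin: str, two_way: bool = False) -> list[str]:
    """argv for re-running `ipa trust-add` against an existing trust.

    `--password` makes ipa prompt for the AD admin password instead of taking it
    on the command line, so it does not land in shell history or process listings.
    """
    argv = ["ipa", "trust-add", "--type", "ad", ad_realm, "--admin", admin, "--password"]
    if two_way:
        argv += ["--two-way", "true"]
    return argv


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for realm in trusts_due_for_refresh(SAMPLE_TRUSTS, now):
        print(f"{realm}: trust object is stale, refresh with:")
        print("  " + " ".join(refresh_command(realm, "Administrator")))
```

Run it on the exported whenChanged values and hand the printed command to whoever holds the AD admin credentials; as the thread notes, re-running `ipa trust-add` against the existing trust updated the objects on both sides.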